California Passes Prop 24: Privacy Rights Act

What Prop 24 Actually Did

Prop 24, approved by California voters in 2020, amended and expanded the CCPA rather than replacing it from scratch. Think of it as a major software update, not a factory reset. The original CCPA had already given Californians rights to know what personal information businesses collect, request deletion in many cases, and opt out of the sale of personal information. Prop 24 kept that foundation but added sharper tools and stricter rules.

The most important upgrade was philosophical as much as legal. The law moved California privacy policy closer to a modern data-rights model. Instead of focusing only on whether data was “sold,” the CPRA also targeted “sharing” for cross-context behavioral advertising. That was a huge deal because many digital advertising practices had long avoided the scarier word “sale” while still moving consumer data around like luggage at a crowded airport.

The law also recognized that not all personal information is equally sensitive. Your favorite pizza topping is one thing. Your precise geolocation, health information, race, ethnicity, religious beliefs, text contents, or financial account credentials are another beast entirely. Prop 24 created a category called sensitive personal information and gave Californians the right to limit how businesses use and disclose it in many situations.

Why the California Privacy Rights Act Was a Bigger Deal Than It Sounded

It created a dedicated privacy cop on the beat

Before Prop 24, enforcement lived primarily with the California Attorney General. After Prop 24, California established the California Privacy Protection Agency, or CPPA, the first standalone state agency in the nation focused on privacy enforcement and rulemaking. That was not a symbolic flourish. It was a structural shift.

When a state creates an agency devoted to privacy, it signals that privacy is no longer a side dish served next to consumer protection. It is the entrée. The CPPA can investigate, audit, issue regulations, and bring administrative enforcement actions. In other words, Prop 24 did not merely write new rules. It built an institution to keep them from collecting dust.

It expanded the rights Californians can actually use

The CPRA added the right to correct inaccurate personal information. That may sound modest until you remember how much modern life runs on data profiles. If a company has your address wrong, your job title wrong, your household profile wrong, or your purchasing behavior badly guessed, that can affect marketing, pricing, customer service, and sometimes more serious decisions. A right to correct is a practical right, not just a nice slogan on a government website.

Consumers also gained a clearer right to stop businesses from using or disclosing sensitive personal information beyond what is reasonably necessary to provide goods or services. That matters in an economy where “just because we can collect it” has too often been treated as a business plan.

It pushed data minimization into the spotlight

One of the most important, and often overlooked, parts of Prop 24 is its embrace of purpose limitation and data minimization. Businesses are expected to limit collection, use, retention, and sharing of personal information to what is reasonably necessary and proportionate for disclosed purposes. That is privacy law’s version of cleaning out the garage and asking why you still own three broken lamps and a mystery cable from 2009.

For years, companies often operated under a quiet assumption: collect first, figure it out later, maybe keep it forever just in case the spreadsheet gods demand it. Prop 24 pushed back on that habit. If you do not need the data, why are you hoarding it like a digital dragon?

The Biggest Consumer Rights Under Prop 24

1. The right to know

Californians can ask what categories and specific pieces of personal information a business has collected, where that information came from, why it was collected, and which categories of third parties received it. This is the “show me the receipts” part of privacy law.

2. The right to delete

Consumers can request deletion of personal information, subject to exceptions for things like security, fraud prevention, completing transactions, legal compliance, and certain internal uses. It is not an absolute eraser, but it is a meaningful control.

3. The right to correct

This was one of the headline additions. If a business maintains inaccurate information, consumers can ask that it be corrected. That sounds almost painfully reasonable, which is probably why it took so long to become a formal right.

4. The right to opt out of sale or sharing

The CPRA expanded the opt-out right beyond sales to include sharing for cross-context behavioral advertising. That means a company cannot dodge the rule simply by saying, “Relax, we did not sell your data, we just handed it around for targeted ads.” Cute try. The law saw that coming.

5. The right to limit use of sensitive personal information

This is where Prop 24 really sharpened its teeth. If a business uses sensitive personal information for purposes beyond what is necessary to provide requested goods or services, consumers can direct the business to limit that use. The law recognizes that some data points deserve more than ordinary caution.

6. The right to non-discrimination and no retaliation

Consumers cannot be punished for exercising their privacy rights in unlawful ways. Businesses may still offer certain financial incentives under the law, but the broad message is clear: people should not have to choose between basic privacy rights and fair treatment.

What Businesses Had to Change

Prop 24 was not just a consumer-rights press release with legal footnotes. It imposed concrete obligations on businesses that meet the law’s thresholds. Covered companies generally include for-profit businesses doing business in California that meet revenue or data-volume triggers, or derive a large share of revenue from selling or sharing personal information.

For businesses, compliance stopped being a matter of posting a privacy policy nobody reads and calling it a day. The CPRA pushed companies to revisit notice language, data maps, vendor contracts, retention schedules, internal workflows for rights requests, and ad-tech practices.

Service providers, contractors, and third parties also came under stronger scrutiny. Contracts now matter even more because they help define who can do what with personal information and under what conditions. The days of “our vendor handles that” being treated like a magic spell grew less magical.

Another important change involved employee and business-to-business data. Temporary exemptions that had softened the law in those areas expired after 2022. That meant personal information connected to employees, job applicants, and many business contacts moved more fully into the compliance spotlight. HR departments, recruiting teams, procurement functions, and enterprise sales groups all had to pay attention. Privacy was no longer just a consumer-app issue.

The Timeline That Actually Matters

Privacy laws love a complicated timeline the way toddlers love asking “why” fourteen times in a row. Here is the version normal humans can use.

California voters approved Prop 24 in November 2020. The CPRA became operative on January 1, 2023, with most new rules applying to personal information collected on or after January 1, 2022. Civil and administrative enforcement for the new and amended provisions was set to begin on July 1, 2023.

The implementing regulations were approved in March 2023, and enforcement timing later got tangled in litigation. A trial court initially delayed enforcement of those amended regulations, but a 2024 appellate decision restored the agency’s authority to enforce them as of July 1, 2023. So while the road was bumpier than a shopping cart with one bad wheel, the broader takeaway is simple: the law is real, enforceable, and not theoretical.

How Prop 24 Changed the Ad-Tech Conversation

One of the smartest moves in Prop 24 was recognizing that data ecosystems rarely announce themselves with a giant neon sign reading We Are Selling You. Digital advertising is built on flows of data across sites, apps, services, and networks. By regulating “sharing” for cross-context behavioral advertising, California closed a gap that had made privacy enforcement harder under a sale-only model.

This mattered for cookie banners, opt-out links, privacy controls, and browser-based signals such as the Global Privacy Control. It also mattered for data brokers, publishers, martech stacks, and brands that rely on third-party ad infrastructure. In practice, many companies had to ask uncomfortable but necessary questions: Who receives our data? Why? Under what contract? Does this count as sharing? Can a consumer turn this off without running an obstacle course?

Those questions are not glamorous, but they are where compliance lives. Privacy law is rarely defeated by philosophical disagreement. It is usually defeated by bad data maps, messy contracts, lazy defaults, and five departments pointing at each other like a sitcom fire drill.

Common Myths About Prop 24

Myth: Prop 24 killed all targeted advertising.
Reality: No. It regulated key data uses and gave consumers more power to opt out, but it did not outlaw personalized advertising altogether.

Myth: Only giant tech platforms need to care.
Reality: Plenty of retailers, SaaS companies, employers, digital publishers, data brokers, and service-heavy businesses can be affected if they meet the thresholds or play certain roles in data processing.

Myth: Consumers can sue over every privacy violation.
Reality: The private right of action remains limited, primarily tied to certain data breach situations. Most enforcement still runs through regulators.

Myth: Compliance is just about the privacy policy.
Reality: Compliance touches product design, engineering, HR, marketing, procurement, records management, vendor oversight, and customer support. A polished policy with chaotic operations behind it is basically privacy theater.

Real-World Impact: What This Means for Consumers and Companies

For consumers, Prop 24 means more visibility into how personal information moves behind the curtain. It gives people stronger tools to say no, fix bad data, and limit especially sensitive processing. It also helps normalize the idea that privacy rights should be understandable and usable, not buried in a 9,000-word notice that reads like it was drafted by a committee trapped in an elevator.

For businesses, the law means privacy can no longer be treated as a periodic legal cleanup project. It has to be operational. Teams need to know what data they collect, how long they keep it, where it goes, and whether those practices match what they tell consumers. That is not just a compliance burden. Done well, it can become a trust advantage.

And that may be the most interesting legacy of Prop 24. It pushed privacy closer to product quality and brand credibility. Companies that treat consumer data carefully look more competent. Companies that treat data like confetti look exactly like the sort of companies legislators like writing new rules about.

Experiences Related to California Passes Prop 24: Privacy Rights Act

The following experiences are illustrative, reality-based scenarios drawn from the kinds of compliance, consumer, and operational changes that businesses and Californians have faced under the CPRA.

Imagine a California shopper who starts using browser privacy tools and notices that some websites suddenly react differently. On one site, the ads get less eerily specific. On another, a clean “Do Not Sell or Share My Personal Information” option finally appears without being hidden like a treasure map clue. For that person, Prop 24 is not an abstract policy debate. It feels like regaining a little control in a digital world that usually acts as if tracking is the natural order of the universe.

Now imagine an in-house privacy lead at a midsize retailer. Before Prop 24, the company’s data practices lived in silos. Marketing knew one set of vendors. Product analytics knew another. Customer service kept information longer than expected because no one wanted to delete anything that might someday be useful. Then the CPRA arrives and suddenly everyone needs answers. What counts as sensitive personal information? Which partners are service providers, and which are third parties? Do retention periods actually match what is written in the privacy notice? The experience is not glamorous, but it is transformative. The law forces the company to see itself more clearly.

HR teams felt the shift too. Once the employee and business-to-business exemptions expired, privacy conversations moved beyond consumer-facing apps and into job applications, recruiting workflows, internal records, and vendor contact databases. Employers that once thought privacy was “for websites” had to realize that employee data is still personal data. That was a meaningful cultural change. Suddenly, privacy was showing up in onboarding documents, HR notices, and internal training sessions, not just footer links.

Another common experience has been operational frustration followed by overdue cleanup. Businesses often discover that their hardest problem is not responding to a consumer request. It is locating all the data in the first place. One team uses a CRM, another uses spreadsheets, another uses a third-party platform, and someone in a forgotten corner still exports reports into a folder named “Final_Final_UseThisOne.” Prop 24 has pushed organizations to untangle those messy systems. Painful? Yes. Necessary? Also yes.

Consumers, meanwhile, have had a mixed but important experience. Some have found that exercising privacy rights is becoming easier, especially when businesses honor browser-based preference signals and provide clearer controls. Others still run into friction, extra steps, or confusing language. But even that tension says something important: the law changed expectations. Californians are increasingly aware that asking questions about their data is normal, legitimate, and protected. That shift in attitude may be just as valuable as any single statutory provision.

In that sense, the experience of Prop 24 is not only about regulations, agencies, or enforcement dates. It is about a gradual rewiring of the relationship between people and the companies that collect their information. The law did not magically eliminate bad privacy habits. But it made sloppy data practices harder to defend, stronger consumer rights easier to demand, and privacy governance much harder to ignore. For a ballot measure with a technical name, that is a surprisingly human legacy.

Conclusion

California’s Prop 24 was not just another state ballot measure with legal jargon and administrative fine print. It marked a major evolution in U.S. privacy law. By expanding rights, tightening business obligations, and creating the CPPA, California signaled that privacy is no longer a niche issue for regulators and corporate counsel alone. It is a mainstream consumer expectation and a core business accountability issue.

The law’s long-term impact reaches beyond California because the modern data economy does not respect state borders nearly as much as compliance departments wish it would. Prop 24 helped reshape the national privacy conversation by showing what a more mature, more enforceable, and more consumer-centered framework can look like. The message was simple, even if the statutory language was not: if you profit from personal information, you owe people more transparency, more control, and fewer excuses.